Solved

I found a file that is some sort of virus that I can't remove

Posted on 2004-04-22
24
175 Views
Last Modified: 2013-12-04
I am dealing with a dll file called ndhygv.dll on a Windows XP Home Edition PC.  I can't remove the dll.

I found it in the registry, delete the key and it puts it back by itself.

I delete it from startup using msconfig and close and don't reboot to get out of msconfig.  Then I run msconfig again and look at startup.  It is there again.  The virus? is putting it back in for me.  In safe mode, I can't delete the file either.

Any ideas?  <removed by modulo>

I would greatly appreciate any assistance.

Tim Chapman
Question by:TimChapman
24 Comments
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 500 total points
ID: 10896292
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896294
TimChapman,
> I delete it from startup using msconfig

Did you mean disable it?

Go to the Startup tab in msconfig and disable all applications. Reboot the machine and check if it would appear. If it does not appear, then enable the applications one by one and check which application might cause that.

#Sun
0
 

Author Comment

by:TimChapman
ID: 10896326
I did go to the startup tab and disable each application other than the norton applications.  I also tried unchecking the button that says Load Startup Items.  I would then exit msconfig without rebooting.  I would then immediately open it again.  The Load Startup Items button would be checked and the item would be checked in the Startup list.  The virus? is doing this itself.  Same when I would remove it from the registry.  It would put itself back.  This is a very difficult problem to solve because Safe mode did not help either.  Same results there.  It loads in safe mode.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896356
TimChapman,
>  I would then exit msconfig without rebooting.  

As I had previously said, after doing that in msconfig reboot the machine and see what happens.

Have you used the spyware removal tools and checked for viruses?

Post back after doing all these.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896386
TimChapman,

Also try this

First make a backup of your registry.

Then go to the registry and search for that name that you see in that folder on the desktop.
If you are not familiar with it, delete it.

For searching, first press Ctrl+F. After it reports the first search result, press F3 and search again, and keep doing that until you find all references to it.

Post back
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896391
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322756
0
 

Author Comment

by:TimChapman
ID: 10896418
After disabling all applications in MSconfig and rebooting, I ran msconfig again.  The entry was still there and the startup items were enabled.  Having disabled them before shutdown, it seems that the virus? is reenabling the startup items.

> in that folder in desktop

What folder are you referring to?
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896435
Oh, I meant this ndhygv.dll.

Search for this name in the registry and remove it if you are not sure what it is.
I do not see any reference to this dll in Google, so you can remove it.

msconfig checks these in the registry:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Go to the registry, check these and remove anything that you are not sure of.
0
 

Author Comment

by:TimChapman
ID: 10896488
I removed all entries with ndhygv.dll.  Before I could even close regedit, they were back again.  This is very insidious.   The Run and RunOnce keys I checked and deleted all I did not recognize, but it did no good as these entries would return by themselves.  There is no point in deleting more entries as the changes won't take effect until I reboot and the dll is run again.  This needs tougher measures and I don't know where to begin.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896492
Also try doing these:

a) Remove temporary internet files, cookies and history by going to Internet Explorer ---> Tools ---> Internet Options.

b) Go to Start --> Run --> %temp%
Remove all the files there. DO NOT REMOVE THE TEMP FOLDER. Just remove the files inside.

c) Also do Disk Cleanup.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896501
TimChapman,

Have you tried all the spyware and virus tools yet? Try them and post back.

Check your Control Panel --> Add/Remove Programs for any unknown program. If you have any, uninstall them.

Also use these registry cleaners:

jv16 http://download.com.com/3000-2094-10196668.html?tag=lst-0-1 (FREEWARE)
RegCleaner http://www.vtoy.fi/jv16/shtml/regcleaner.shtml
AATools RegClean http://www.glocksoft.com/aatools_registry_cleaner.htm
Registry Medic  http://www.iomatic.com/products/product.asp?ProductID=registrymedic
RegVac  http://regvac.com/fregvac.htm#download
0
 

Author Comment

by:TimChapman
ID: 10896512
I tried deleting temporary internet files.  Some won't delete.

I did not run %temp%.   Please tell me what that should do.  I have never seen that before.

The computer hangs when I try to do a disk cleanup.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896521
TimChapman,
> I tried deleting temporary internet files.  Some won't delete.

What do you mean by this?

Go to Start --> Run and type in " %temp% " (without quotes).
It will open the temporary folder where all temp files are stored on your machine.
Remove all those files.


Not sure why Disk Cleanup would hang your machine. Wait for some time when you do Disk Cleanup, as there would be many unwanted files to clean up.

Restart the machine after doing all these.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896729
What is the status?

Have you tried all spyware tools, virus scanners, etc.?

Remove all those temp files.

Post back.
0
 

Author Comment

by:TimChapman
ID: 10896770
I have to wait to do those.  The computer is at a client's location.  He may not want to pay me the hours needed to continue.  I emailed him to ask him to let me have the computer at my site so I can work on it without charging him.  I would like to get to the bottom of this virus (?).  I was very surprised to find nothing about it when I searched Google.  Looks like something new.  

I don't understand the Experts Exchange regarding the Accept button.  When I accept a reply, does that mean the sender gets the 500 points?

Thanks for your effort on this.  I will try to see this to completion so the points can be given and so that the problem can be solved and the information shared.

Tim
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896789
Looks like it is a new virus or trojan or spyware.

This is how it works:

You assign 500 points, or however much you can, depending on the question.
Once you click Accept, you will be taken to a page where you need to give the grade.
Depending on the grade, the expert would get points.

Say if you give an A grade, the expert would get 500 * 4 = 2k points;
if B grade, 500 * 3;
if C grade, 500 * 2.

Hope you understand.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10897331
Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my URL below, there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus suite and SoftScan, and haven't had any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10897333
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10897531
This is how to find ndhygv.dll and stop it.

1. Start / Run / regedit
2. ENTER
3. CTRL-B
4. ndhygv.dll
5. ENTER
6. If you find it in HKCR/CLSID/{xxxx-xxxx-xxxx}/InprocServer32 then identify all the {yyyy-yyyy-yyyy} in the regkey like HKCR/CLSID/{xxxx-xxxx-xxxx}/Implemented Categories/{yyyy-yyyy-yyyy}
7. If you can find the same {yyyy-yyyy-yyyy} in HKLM/Software/Microsoft/Internet Explorer/ActiveX Compatibility/ then set a kill bit according to:

How to Stop an ActiveX Control from Running in Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;en-us;240797&sd=tech
0
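Both sunray_2003's list of autostart keys above and trywaredk's regedit walk (find the DLL under HKCR\CLSID\{...}\InprocServer32, then set the kill bit per KB 240797) can be done offline against a regedit export (File -> Export) instead of clicking through a live, reinfecting registry. The script below is an added example, not code from the thread or from any tool mentioned in it. It parses a constructed .reg sample (the values, paths and the CLSID in it are made up; only the file name ndhygv.dll comes from the thread), lists the autostart values that reference the DLL, finds the CLSIDs whose InprocServer32 default value loads it, and writes a .reg fragment that sets the "Compatibility Flags" kill bit (0x400, the value KB 240797 documents) for those CLSIDs. It follows the KB in keying the kill bit on the control's own CLSID.

```python
import re

# Autostart keys listed by sunray_2003 above (what msconfig's Startup tab reads).
AUTOSTART_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
]

# Kill-bit value for "Compatibility Flags" under ActiveX Compatibility (KB 240797).
KILL_BIT = 0x400

# Constructed sample of a regedit export. Everything here is made up for the
# example except the DLL name ndhygv.dll from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvStartup"
"ndhygv"="rundll32.exe C:\\WINDOWS\\system32\\ndhygv.dll,DllMain"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}]
@="Example Helper Object"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\ndhygv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\system32\\shdocvw.dll"
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    String data is unescaped; other types (dword:, hex:) are kept verbatim and
    multi-line hex continuations are not handled."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def autostart_entries(keys, dll_name):
    """Return (key, value_name, data) for autostart values that mention dll_name."""
    hits = []
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key, {}).items():
            if dll_name.lower() in data.lower():
                hits.append((key, name, data))
    return hits


def clsids_for_dll(keys, dll_name):
    """CLSIDs whose InprocServer32 default value loads dll_name."""
    pat = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$")
    found = []
    for key, values in keys.items():
        m = pat.match(key)
        if m and dll_name.lower() in values.get("(Default)", "").lower():
            found.append(m.group(1))
    return found


def killbit_reg(clsids):
    """Emit a .reg fragment that sets the IE kill bit for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\%s]" % clsid)
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for key, name, data in autostart_entries(keys, "ndhygv.dll"):
        print("autostart: %s\\%s = %s" % (key, name, data))
    clsids = clsids_for_dll(keys, "ndhygv.dll")
    for clsid in clsids:
        print("COM server %s loads ndhygv.dll" % clsid)
    print(killbit_reg(clsids))
```

Run it against a real export by replacing SAMPLE_REG with the file contents; the kill-bit fragment it prints only stops Internet Explorer from instantiating the control, so the autostart values it lists still have to be removed and the DLL itself dealt with, as the rest of the thread describes.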
 
LVL 5

Expert Comment

by:barcelona_blom
ID: 10898214
Tim Chapman

Use this command to unregister the dll file, then delete it.
Change the path to wherever the dll resides.

regsvr32.exe /u \windows\[controlname]       Click Start, then Run, and enter the command.

Then delete the registry entries for the file.

0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 10911833
regsvr32 /u %systemroot%\system32\ndhygv.dll

ENTER

regsvr32 /u %systemroot%\system\ndhygv.dll

ENTER

good luck
0
